In a recent development in the realm of cybersecurity, the China-aligned hacking group known as MirrorFace has set its sights on a diplomatic organization within the European Union. This incident represents the first instance of MirrorFace targeting an entity in this region, as per the findings disclosed in ESET’s APT Activity Report for the period spanning April to September 2024.
The modus operandi employed by the threat actor during this attack involved using the upcoming World Expo event scheduled for 2025 in Osaka, Japan, as bait. ESET emphasized that despite this shift in geographic targeting, MirrorFace’s primary focus remains on Japan and events associated with the country. The group, also identified as Earth Kasha, is believed to operate under the APT10 umbrella, which encompasses other subgroups such as Earth Tengshe and Bronze Starlight. MirrorFace has been noted for its persistent targeting of Japanese organizations since at least 2019, with a more recent campaign in early 2023 expanding its scope to include Taiwan and India.
Over the years, MirrorFace has continually upgraded its arsenal of malware tools, incorporating backdoors like ANEL (also known as UPPERCUT), LODEINFO, NOOPDOOR (aka HiddenFace), and a credential stealer named MirrorStealer. The cybersecurity experts at ESET have highlighted that MirrorFace’s attacks are meticulously executed, with the group averaging fewer than 10 attacks per year. The overarching objective behind these intrusions is cyber espionage and the exfiltration of sensitive data. Diplomatic organizations have been targeted by MirrorFace before; in the recent attack uncovered by ESET, the lure was a spear-phishing email carrying a link to a ZIP archive titled “The EXPO Exhibition in Japan in 2025.zip” hosted on Microsoft’s OneDrive platform.
Inside the archive was a Windows shortcut file (“The EXPO Exhibition in Japan in 2025.docx.lnk”); launching it upon opening the archive started a sequence that led to the deployment of ANEL and NOOPDOOR. Notably, the reappearance of ANEL after a hiatus of nearly five years is a point of particular interest within the cybersecurity community. This scenario unfolds amidst a broader landscape where threat actors affiliated with China, such as Flax Typhoon, Granite Typhoon, and Webworm, have shown a growing reliance on the SoftEther VPN to maintain access to compromised networks.
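The delivery mechanism described above, a document-named Windows shortcut inside an e-mailed ZIP, is something a mail gateway or sandbox can flag before anyone opens the archive. As an added, defender-side example (not from ESET’s report or the original article), the following Python routine inspects an archive for shortcut files disguised as documents, checking both the file name (a document extension immediately followed by `.lnk`) and the file content (the fixed header every LNK file begins with). The archive it scans is constructed inline: the member name mirrors the one cited in the article, and the shortcut bodies are header-only stubs with no target, so nothing in the sample does anything when opened.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Every Windows shortcut begins with HeaderSize 0x0000004C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Document-like extensions that a lure commonly places in front of ".lnk".
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}


def classify_member(filename: str, head: bytes) -> list[str]:
    """Return the reasons a ZIP member looks like a disguised shortcut (empty if clean)."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    is_lnk_by_content = head.startswith(LNK_MAGIC)
    # Name-based check: "report.docx.lnk" shows as "report.docx" when extensions are hidden.
    if len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in DOCUMENT_EXTS:
        reasons.append("double extension: document name ending in .lnk")
    # Content-based check catches shortcuts whose name hides the .lnk extension entirely.
    if is_lnk_by_content and (not suffixes or suffixes[-1] != ".lnk"):
        reasons.append("LNK header behind a non-.lnk file name")
    elif is_lnk_by_content:
        # A shortcut arriving inside an e-mailed archive is rarely legitimate on its own.
        reasons.append("Windows shortcut delivered inside an archive")
    return reasons


def find_disguised_shortcuts(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name of an in-memory ZIP to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed for the check
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive (not the real lure): one double-extension shortcut,
    one shortcut hiding behind a .pdf name, and one genuinely harmless text file."""
    fake_lnk = LNK_MAGIC + b"\x00" * 32  # header only; carries no target or arguments
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("The EXPO Exhibition in Japan in 2025.docx.lnk", fake_lnk)
        zf.writestr("agenda.pdf", fake_lnk)
        zf.writestr("README.txt", b"Exhibition schedule, plain text.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in find_disguised_shortcuts(build_sample_archive()).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

The two checks are deliberately independent: the name rule catches the pattern seen in this campaign even when Explorer hides known extensions, while the header rule catches a shortcut renamed to something with no `.lnk` suffix at all. In practice the same logic can be wired into a mail gateway’s attachment scanner or run over a sandbox’s extracted files, and the header check extends naturally to other executable formats with a fixed magic.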
Another critical development in the cybersecurity domain involves the alleged breach of Singapore Telecommunications (Singtel) by the China-linked group Volt Typhoon as part of a larger campaign targeting telecommunications entities and critical infrastructure. Concurrently, U.S.-based telecommunication and network service providers like AT&T, Verizon, and Lumen Technologies have been targeted by a Chinese nation-state group known as Salt Typhoon (aka FamousSparrow and GhostEmperor). These incidents underscore the persistent threat posed by sophisticated cyber adversaries to critical infrastructure and national security assets.
Recent revelations by The Wall Street Journal have shed light on how these cyber intrusions orchestrated by Chinese threat actors have compromised the cellphone lines of high-profile officials, policymakers, and politicians in the U.S., along with infiltrating the communication providers of a key ally closely aligned with Washington. These incidents underscore the imperative for heightened vigilance and robust cybersecurity measures to thwart the growing menace posed by state-sponsored cyber threats.
In conclusion, the evolving cyber threat landscape dominated by sophisticated threat actors highlights the critical importance of organizations bolstering their cybersecurity defenses and remaining vigilant against emerging threats. The persistent targeting of diplomatic entities and critical infrastructure by state-sponsored hacking groups makes proactive cybersecurity measures and information sharing an urgent necessity for mitigating cyber risks effectively.